The first web sites were largely implemented with only two “tiers” of computers. Requests from users' web browsers were mainly handled by a first tier of web server computers. In some instances, a web server computer in the first tier would need to request data from a database server in the second tier of computers in order to formulate and send an appropriate response to the user's request. Over time, a third tier, commonly known as the “application tier”, was added between the web server tier and the database tier. In both the two-tier and the three-tier arrangements, protecting sensitive user information, such as user credential information, that the web site receives was relatively simple because the overall computing environment was limited and clearly defined.
With the ever-increasing popularity of the Internet, more and more online services, including web sites, are implemented as complex, large-scale distributed computer systems. Today, many online services consist of tens or more online service applications providing end-user functionality, executing on hundreds or more computer servers across multiple data center facilities. Further, online service applications may be developed and administered by different engineering teams, often with little or no coordination between teams.
As more and more online services are implemented as large-scale distributed computer systems, a whole new set of challenges faces online service developers and administrators: these previously centralized online services, developed and administered by only a small number of people, are now composed of many online service applications developed and administered by multiple engineering teams. A particular set of challenges involves protecting sensitive user information that an online service application of the online service receives. Such sensitive user information may include, for example, user credential information (e.g., a password of the user or an authentication token of the user), personal financial information (e.g., a bank account number of the user), or certain personally identifiable information (PII) or certain sensitive personal information (SPI) (e.g., the user's social security number or the maiden name of the user's mother).
Often an online service application may need to store sensitive user information for later access. Consider, for example, a first online service that accesses a third-party online service on behalf of a user. The third-party online service may be a third-party social networking service, and the user may have granted the first online service permission to post status updates on behalf of the user to the user's news feed as operated by the third-party social networking service. As part of the user granting permission to the first online service, the first online service application may obtain an access token or other authorization information that represents the user's permission to share access to their account held with the third-party online service with the first online service. Upon obtaining the access token, the first online service may store the access token in a secure manner until it is needed at a later time to access the third-party online service on the user's behalf. If the first online service is careless with the access token, by not storing it in a secure manner or by allowing it to fall into the hands of unauthorized persons, then users may lose trust in the first online service.
One possible way for an online service to protect sensitive user information is to encrypt the information and store it in encrypted form until it is needed at a later time. In this way, if the encrypted information is stolen, the sensitive user information cannot be accessed without the encryption key. Unfortunately, different online service applications and different online service application engineering teams may employ different techniques for encrypting sensitive user information. For example, different engineering teams may use different levels of encryption key entropy or different encryption key rotation schedules. The result is an online service composed of many different online service applications that protect sensitive user information in various ad-hoc manners, with the overall effect of providing less security and protection for users' sensitive information.
What is needed, then, is a system implementing a methodology that solves the basic problem of protecting sensitive user information in a consistent manner. Ideally, the solution would relieve online service applications of at least some of the burden of protecting the sensitive user information that they receive. The subject innovations provide a solution for these and other needs.